[NTLUG:Discuss] Eggdrop
Brian Koontz
brian at pongonova.net
Wed May 6 15:02:39 CDT 2009
On Wed, May 06, 2009 at 01:49:46PM -0700, George Lass wrote:
> Looks like I have left my ssh port open for a bit too long, and my
> old RedHat 9.0 (yes the original free RedHat) machine has been
> hacked. I found a program called eggdrop running on it. After
> securing my machine, I found a few web pages on eggdrop, calling it
> an IRC bot. It *seems* like it might be harmless, but given that
> it had been running for a couple of weeks, I'm wondering what kind
> of damage it might have done, or what data it might have stolen.
> Anyone have any previous experience with it?

The machine can no longer be trusted. Best course of action is to
back up your non-binary data, and start with a new install. I would
imagine there's a rootkit lurking somewhere that you just haven't
found yet.

After the new install, consider moving your SSH port to something
other than port 22 (the number of brute force attacks will drop
appreciably). Disable root access via sshd, and I'd also suggest
limiting access to sshd to only selected IP addresses (via deny/allow
settings) and users.

--Brian
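
A check for the three sshd settings recommended in the reply above, added here as an example and not part of the original post. It assumes the address and user limits are expressed with sshd's `AllowUsers user@host` patterns; the sample configs, user name and addresses are constructed.

```python
import re

MULTI = {"port", "allowusers"}  # keywords whose values accumulate across lines

def parse_global(text):
    """Parse the global section of an sshd_config into {keyword: [args]}."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out setting leaves the built-in default active
        m = re.match(r"([A-Za-z0-9]+)\s*=?\s*(.*)", line)
        if not m:
            continue
        key, args = m.group(1).lower(), m.group(2).split()  # keywords are case-insensitive
        if key == "match":
            break  # conditional Match blocks are out of scope for this check
        if key in MULTI:
            conf.setdefault(key, []).extend(args)
        elif key not in conf:
            conf[key] = args  # sshd uses the first value it reads for a keyword
    return conf

def audit(text):
    """Return findings for the three settings recommended in the reply."""
    conf = parse_global(text)
    findings = []
    if "22" in conf.get("port", ["22"]):  # no Port line means the default, 22
        findings.append("sshd listens on port 22")
    if (conf.get("permitrootlogin") or ["yes"])[0].lower() != "no":
        findings.append("root login is not disabled")
    allow = conf.get("allowusers", [])
    if not allow:
        findings.append("no AllowUsers list")
    elif any("@" not in entry for entry in allow):
        findings.append("AllowUsers entry without @host")
    return findings

# Constructed sample configs; the user name and addresses are placeholders.
WEAK = "#Port 22\nPermitRootLogin yes\n"
HARDENED = "Port 2222\nPermitRootLogin no\nAllowUsers admin@192.0.2.10 admin@198.51.100.*\n"
# A later "no" does not override an earlier "yes".
SHADOWED = "Port 2222\nPermitRootLogin yes\nPermitRootLogin no\nAllowUsers admin@192.0.2.10\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED), ("shadowed", SHADOWED)):
        print(name, audit(cfg) or "ok")
```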